The vulnerability disclosure policy has been established to provide security researchers with clear guidelines for responsibly conducting vulnerability discovery activities on Mika's apps, systems and websites. It also outlines the procedures for submitting identified vulnerabilities to Mika.
This page specifies the systems and types of research covered under this program, the process for submitting vulnerability reports, and the requirements for the disclosure of submitted vulnerabilities.
If you identify a security vulnerability within our information systems, please refer to the information provided below for guidance on submitting a disclosure.
The following apps, websites and their subdomains are in scope for the vulnerability disclosure policy program.
Mika Giving App
Mika Tap App
Mika Terminal App
Mika Flex App
If you discover a domain that is not included in the above list but you believe it may be owned by Mika, please send your query to security@mikatap.com. We will inform you if the domain is in scope of the vulnerability disclosure policy program.
The following are out of scope for the vulnerability disclosure policy program:
Findings from physical testing, such as office access. For example, open doors, tailgating (the passage of an unauthorized user behind an authorized user), or compromising access cards.
Attacks requiring physical access to a user's device.
Findings derived primarily from social engineering. For example, phishing or whaling.
Findings from applications or systems not listed on the above list of websites.
UI and UX bugs and spelling mistakes.
Network level Denial of Service (DoS/DDoS) weaknesses.
Previously known vulnerable libraries without a working proof of concept.
Content spoofing or text injection.
Reports from automated tools or scans without accompanying demonstration of exploitability.
Missing best practices. For example, missing security headers, missing CAPTCHA, or insecure certs.
Insecure SSL or TLS issues. For example, ciphers or certificates.
Any form of unauthorized penetration testing of our services.
Obtaining personal information or potentially threatening the safety of our staff or customers.
Destruction or corruption of (or attempts to destroy or corrupt) data or information that belongs to Mika.
These guidelines are designed to help both you and Mika when you find a security issue with our systems. If you're doing security testing, please:
Make every effort to avoid actions that:
Make every effort to avoid actions that:
Breach the privacy of individuals.
Affect the performance of a system for our customers.
Disrupt or damage any "live" systems.
Destroy or corrupt Mika data.
Perform research only within the scope as set out above.
Delete and don't share any confidential information or personal information you might have obtained.
Keep any security issues you discover within our systems confidential between yourself and Mika until we have the opportunity to fix them.
Don't commit any illegal activity.
Don't breach any relevant laws in the country of your origin and from where the security testing is taking place.
Please report your findings to security@mikapaytech.com By emailing or providing a disclosure to us, you agree that we can use your submission and its contents to ensure the security, integrity, and reliable operation of our technology and business.
If you're uncomfortable sending any of the following content by email, you may mask or redact sensitive content. If you want to encrypt data using the PGP key, email security@mikapaytech.com and ask for one.
Please include the following information in your disclosure:
Clear description and evidence of the vulnerability, such as logs, screenshots, or web responses.
Detailed steps to reproduce the issue.
Any platforms, operating systems, or versions that are relevant.
Any relevant IP addresses or URLs.
Any supporting evidence you've collected, such as logging or tracing.
Your assessment of the exploitability or impact of the issue.
Your name, role (if appropriate) and contact details.
Upon receiving a vulnerability disclosure, we will take the following steps:
Acknowledgment: We will confirm receipt of your disclosure and provide you with a tracking number for reference. Our goal is to acknowledge all disclosures within five business days, excluding public holidays.
Clarification and communication: We will engage with you to address any queries we have regarding your disclosure.
If you act in good faith and follow this policy, then we make the following commitments to you:
a. The information that you share with us as part of this process will be kept confidential within Mika and our directly contracted suppliers; and
b. Your contact details won't be shared with third parties, without your permission; and
c. We will not initiate legal action against people attempting to find vulnerabilities within our systems who adhere to this policy.